COMMUNICATIONS SYSTEM WITH FRAUD MONITORING
CROSS REFERENCE TO RELATED CASES 

[01] This application is related to, and claims the benefit of the earlier filing date under 
35 U.S.C. § 119(e) of, U.S. Provisional Patent Application No. 60/276,923, filed March 
20, 2001, entitled "IP Communications," U.S. Provisional Patent Application No. 
60/276,953, filed March 20, 2001, entitled "IP Communications," U.S. Provisional Patent
Application No. 60/276,955, filed March 20, 2001, entitled "IP Communications," and 
U.S. Provisional Patent Application No. 60/276,954, filed March 20, 2001, entitled "IP 
Communications"; the entireties of which are incorporated herein by reference. 

TECHNICAL FIELD 

[02] The present invention relates to controlling fraudulent use of communications 
services and, more particularly, to the detection of fraudulent activities in a data transport 
network. 

BACKGROUND 

[03] The proliferation of data transport networks, most notably the Internet, is causing
a revolution in telephony and other forms of real-time communication. Businesses that
have been accustomed to having telephony traffic and data traffic separately supported 
over different systems and networks are now moving towards so-called "converged 
networks" wherein telephone voice traffic and other forms of real-time media are 
converted into digital form and carried by a packet data network along with other forms 
of data. Now that the technologies are feasible to support it, voice over data transport 
offers many advantages in terms of reduced capital and operating costs, resource 
efficiency and flexibility. 

[04] For example, at commercial installations, customer premise equipment 
investments are substantially reduced as most of the enhanced functions, such as PBX 
and automatic call distribution functions, may reside in a service provider's network. 
Various types of gateways allow for sessions to be established even among diverse 
systems such as IP phones, conventional analog phones and PBXs as well as with
networked desktop computers. 

[05] A new generation of end user terminal devices is now replacing the traditional
telephones and even the more recent PBX phone sets. These new sets, such as those 
offered by Cisco Systems, Inc. and Pingtel Corporation, may connect directly to a 
common packet data network, via an Ethernet connection for example, and feature large 
visual displays to enhance the richness of the user interface. 

[06] Even before such devices were developed, computers equipped with audio
adapters and connected to the Internet were able to conduct some rudimentary form of 
Internet telephony, although the quality was unpredictable and often very poor. The 
emphasis now is upon adapting internet protocol (IP) networks and other packet transport 
networks to provide reliable toll-quality connections, easy call set-up and enhanced 
features to supply full-featured telephony as well as other forms of media transport. 
Some other types of media sessions enabled by such techniques may include video, high 
quality audio, multi-party conferencing, messaging and collaborative applications.

[07] Of course, as a business or residential communications subscriber begins using
such voice-over-packet communications to replace conventional telephony, there will 
naturally be an expectation that the quality of the connections and the variety of services 
will be at least as good as in the former telephone network. There is also an expectation 
that the new types of networks will be less susceptible to fraudulent use of 
communications service - or at least no worse than their predecessors. 
[08] However, employing a packet data transport for telephony introduces new 
vulnerabilities beyond those experienced with the traditional circuit-switched telephone
network. The concern over security of communications in the public Internet is well 
known and has received considerable attention in light of countless identity thefts, 
hacking attacks, viruses, denial-of-service attacks, security breaches and other threats to 
reliable, confidential communications. These threats take on further significance as, in
the case of packet telephony, the traffic streams are metered and revenue-bearing.

[09] In response to these threats, a growing array of security countermeasures
(firewalls, NAT, secure connections, encryption schemes, secure Internet protocol
(IPsec), vulnerability probes) have been developed to defend against such crippling
attacks on data networks. 

[10] Of course, any of these security measures that were spawned by data network
security may be beneficial to the prevention of attacks in telephony data networks. One 
area of particular vulnerability for some packet telephony systems stems from the fact 
that signaling, bearer traffic, and network management communications all share the 
same transport network. The call control systems communicate among themselves and to
the network elements (such as gateways) using the same network that carries packets of
customer data. To put things simply, one may send data to any point in a packet network
as long as the address of the point is known. The fact that the call control servers are
coupled through the transport network opens the possibility that a fraud perpetrator might 
attempt to communicate directly with a network server, either to impede the operation of 
the server or to send mock communications requests so as to fool the server into 
providing free communications services. Fortunately, network security measures, such 
as the use of IPsec tunnels between legitimate endpoints, are largely effective against
these kinds of attacks. 

[11] While data network security measures may be employed to help defend against 
certain types of attacks against a telephony data network, there are a variety of fraud 
schemes that are not detected or prevented by such measures. 

[12] Various fraud schemes are known by which fraud perpetrators are able to steal 
communications services. Perpetrators have been able to steal calling card numbers, 
open false accounts, or otherwise manipulate equipment or people to get services without 
paying. Many of the possible fraud schemes have been well characterized in the PSTN 
and various techniques have been developed for detecting and preventing such abuses. 
[13] Unfortunately, there is a common misconception among those in the industry that 
the use of sufficient data network security measures should prevent all manner of abuse
and fraud, even in a packet telephony environment. In truth, the role of fraud monitoring
can be distinct from, but complementary with, network security. Network security
provides mechanisms (e.g., firewalls, authentication services, user IDs/passwords, etc.) to
ensure that only authorized users gain access to network services. These security 
mechanisms have protection against internal abuse by authorized users and social 
engineering situations. As a complementary capability, fraud monitoring provides a view
into the services used on the network to ensure that none of the security mechanisms have 
been compromised or abused. Fraud monitoring facilitates identification of 
vulnerabilities in the network, protects a commercial customer by minimizing 
unauthorized use, and protects the service provider against revenue loss. 

[14] In summary, network security focuses on fraud prevention, while fraud
monitoring focuses on fraud detection. These network concerns must be addressed
before customers invest in the adoption of new services and technologies. Customers are
attracted to a converged solution because of the potential for new services and enhanced
functions, but are apprehensive about new security risks and avenues of fraud.

SUMMARY 

[15] The present invention meets the need for a fraud monitoring capability to
complement other security measures in a voice-over-packet communications system. 
[16] To the extent that a packet telephony network operates analogously to a 
traditional network and many of the same fraud schemes apply, the present invention 
advantageously adapts an existing fraud detection system for use with a packet telephony 
network. This means that existing tools and practices developed for the traditional 
telephone network may be immediately applied in the realm of packet telephony. 
[17] Additionally, where packet telephony introduces new aspects or surfaces new 
sources of information beyond what was observed in traditional telephony, the present 
invention provides for the collection of new indicators and the implementation of new 
detection methods. 

[18] In another aspect, the present invention also provides for a single fraud 
monitoring platform to serve both conventional and packet-switched telephony systems. 
In particular, the present invention provides for the collection, correlation and collective 
processing of usage activity information derived from both circuit-switched and packet- 
switched domains. This is a novel capability for reviewing all aspects of calls, even those 
that involve gateways and are carried over both forms of transport. 

[19] In accordance with an aspect of the present invention, network servers performing
call processing, or more appropriately "session processing", in the packet telephony 
system create transaction detail records reflecting each call or session request that was 
handled by the server. What is recorded may include network addresses, call 
dispositions, feature invocations, time of day, etc. These transaction detail records are 
forwarded through an operations support system and eventually processed by a fraud 
monitoring engine that looks for various patterns of fraud. In accordance with a preferred 
embodiment, such records are provided in an XML (extensible Mark-up Language) 
format. 

[20] In another aspect of the present invention, network gateways, which adapt
signaling and bearer channels among circuit-switched and packet-switched networks, also 
generate call detail records (CDRs) of the more traditional type and forward those to a 
collection process. These CDRs convey information about PSTN-types of events. 
Eventually, these CDRs are correlated with the records from the network servers and the 
fraud monitoring system is then able to get an overall picture of each call, even when a 
call involves both types of networks. 

[21] To facilitate use of such CDRs, such as for correlation to packet network events,
the present teachings provide that CDRs may be augmented in a novel fashion with
additional information having particular significance in a mixed packet-switched and
circuit-switched environment.
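
The correlation described in paragraphs [19] to [21], sketched as an added example that is not part of the patent text: server transaction detail records in XML are joined to gateway CDRs, and the joined view is checked against a dialing plan. The element and attribute names, the CSV CDR layout, the shared `session` field used as the augmented correlation key, the dialing-plan table and the `+1` home prefix are all assumptions, and every record is constructed sample data.

```python
import csv
import io
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed transaction detail records from a network server (assumed schema).
TDR_XML = """<records>
  <tdr session="s-1001" time="2002-03-15T02:14:07" src="10.1.4.21"
       caller="sip:alice@example.com" dialed="+12025550143" disposition="completed"/>
  <tdr session="s-1002" time="2002-03-15T02:15:40" src="10.1.4.37"
       caller="sip:bob@example.com" dialed="+12025550199" disposition="completed">
    <feature name="call-forward" target="+442079460000"/>
  </tdr>
  <tdr session="s-1003" time="2002-03-15T02:16:02" src="10.1.4.37"
       caller="sip:bob@example.com" dialed="+442079460001" disposition="rejected"/>
</records>"""

# Constructed gateway CDRs; the "session" column is the assumed augmentation
# that lets a PSTN-side record be tied back to the packet-side session.
CDR_CSV = """session,trunk_group,called,duration_s
s-1001,TG7,+12025550143,62
s-1002,TG7,+442079460000,1840
s-9999,TG9,+442079460002,2710
"""

# Assumed provisioning data: may this caller place international calls?
DIAL_PLAN_INTL_ALLOWED = {"sip:alice@example.com": False,
                          "sip:bob@example.com": False}
HOME_PREFIX = "+1"  # assumed home numbering prefix


@dataclass
class Tdr:
    session: str
    caller: str
    dialed: str
    disposition: str
    features: list = field(default_factory=list)  # (name, target) pairs


def parse_tdrs(xml_text):
    """Index server records by session id."""
    out = {}
    for el in ET.fromstring(xml_text).iter("tdr"):
        feats = [(f.get("name"), f.get("target")) for f in el.findall("feature")]
        out[el.get("session")] = Tdr(el.get("session"), el.get("caller"),
                                     el.get("dialed"), el.get("disposition"), feats)
    return out


def parse_cdrs(csv_text):
    """Index gateway CDR rows by session id."""
    return {row["session"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def correlate(tdrs, cdrs):
    """Join both record types; also return CDRs that match no server record."""
    views = [(tdr, cdrs.get(sid)) for sid, tdr in tdrs.items()]
    orphans = [cdr for sid, cdr in cdrs.items() if sid not in tdrs]
    return views, orphans


def find_alerts(views, orphans, intl_allowed):
    alerts = []
    for tdr, cdr in views:
        if cdr is None:
            continue  # no PSTN leg: rejected, or carried entirely on the packet side
        if cdr["called"].startswith(HOME_PREFIX):
            continue
        if intl_allowed.get(tdr.caller, False):
            continue
        # The dialed digits alone may look domestic; the gateway leg shows where
        # the call actually went, and the server record shows which feature sent it.
        via = [name for name, target in tdr.features if target == cdr["called"]]
        reason = "international egress outside dialing plan"
        if via:
            reason += " via " + via[0]
        alerts.append((tdr.session, reason))
    for cdr in orphans:
        alerts.append((cdr["session"], "gateway CDR with no server record"))
    return alerts


def run_example():
    views, orphans = correlate(parse_tdrs(TDR_XML), parse_cdrs(CDR_CSV))
    return find_alerts(views, orphans, DIAL_PLAN_INTL_ALLOWED)


if __name__ == "__main__":
    for session, reason in run_example():
        print(session, reason)
```

Session s-1002 is only visible as a problem once both record types are joined: the server record shows a domestic dialed number, while the gateway CDR shows the forwarded international leg.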

[22] While the present invention is shown and described in the context of packet- 
switched telephony, it will be apparent that it may be similarly applicable to other forms 
of communication, such as video conferencing or other data streaming, where a 
perpetrator seeks to steal network resources. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[23] The present invention is illustrated by way of example, and not by way of 
limitation, in the figures of the accompanying drawings and in which like reference 
numerals refer to similar elements and in which: 

[24] FIG. 1 is a diagram of a data communications system capable of supporting
telephony services and comprising means for monitoring usage activities in accordance
with an exemplary embodiment of the present invention;

[25] FIG. 2 is a diagram of functional elements involved in establishing a session
among parties according to an exemplary embodiment of the present invention;

[26] FIG. 3 is a diagram of functional elements for monitoring usage activity of a
communications system in accordance with an exemplary embodiment of the present
invention;

[27] FIG. 4 is a flowchart describing a process for processing records of usage activity 
from a communications system in accordance with an exemplary embodiment of the 
present invention; 

[28] FIG. 5 is a diagram of a computer system with which an embodiment of the 
present invention may be implemented; 

[29] FIG. 6 is a diagram of a data structure for conveying recorded usage of a 
communications system in accordance with an exemplary embodiment of the present 
invention; and 

[30] FIG. 7 is a diagram of a fraud analyzing apparatus in accordance with an 
exemplary embodiment of the present invention. 

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENT 
[31] In the following description, well-known structures and devices may be shown in 
block diagram form or otherwise summarized in order to avoid unnecessarily obscuring 
the present invention. For the purposes of explanation, numerous specific details are set 
forth in order to provide a thorough understanding of the present invention. It should be 
understood however that the present invention may be practiced in a variety of ways 
beyond these specific details. 

[32] For example, although the present invention is discussed in the context of the 
Session Initiation Protocol (SIP) and an Internet Protocol (IP)-based network, one of 
ordinary skill in the art will recognize that the present invention may be generally 
applicable to other equivalent or analogous communication protocols (ITU H.323) or
communications networks (ATM, frame relay, etc.).

[33] Fraud vulnerabilities in business communications systems largely involve the 
following: abuse by employees or ex-employees, subscription fraud, remote access fraud, 
misconfigured dialing plans, and social engineering. Customer Premise Equipment 
(CPE)-related fraud occurs when a third party gains unauthorized access to a Private 
Branch eXchange (PBX) switch and "steals dial-tone" to make outgoing calls, or an 
employee abuses long distance calling or other costly PBX-provided features for non-
business purposes. These outgoing calls are charged back to the owner of the CPE
regardless of the origination of the call (on-network or off-network).

[34] In the case of subscription fraud, a small business may "set up shop" with false
credentials with no intention of paying. The delay in the service provider recognizing 
this situation gives the perpetrator time to accumulate substantial charges. 
[35] In the case of remote access fraud, an unauthorized user may steal, or determine 
by "hacking", authentication information that permits access to the network, such as SIP 
phone user IDs and/or passwords.

[36] Fraud relating to a "leaky PBX" may stem from a customer improperly
configuring the PBX such that a certain feature of the PBX may be enabled and 
compromised by a former employee. Additionally, incorrectly setting dialing plan 
configurations may result in unintended privileges to certain users; for example, a 
department can place international calls, although its dialing plan should only permit 
them to call domestically. 

[37] Social engineering refers to the practice of obtaining information or services
through a person who answers a call (such as a PBX operator) by pretending to be a
legitimate caller in need of assistance. For example, a caller from an outside line is
forwarded to a company operator and convinces the operator that the user is an employee
who needs to make an off-network call. It is observed that business customers are
generally subjected to PBX hacking, internal abuse, and social engineering. 
[38] Preventive measures have been proposed or implemented to reduce the 
susceptibility of such networks on several fronts. Some of these measures address "low- 
level" vulnerabilities, such as the exposure of an IP-addressable resource to an
overwhelming influx of data packets. An example of measures taken in a data network to
prevent these so-called "denial-of-service" attacks is described in the following
copending patent applications which are hereby incorporated by reference in their
entireties: U.S. Patent Application No. 10/023,331 (Attorney Docket No. RIC01044),
filed on December 17, 2001, entitled "Virtual Private Network (VPN)-Aware Customer
Premises Equipment (CPE) Edge Router" by McDysan; U.S. Patent Application No.
10/023,043 (Attorney Docket No. RIC01059), filed on December 17, 2001, entitled
"System, Method and Apparatus That Employ Virtual Private Networks to Resist IP QoS
Denial of Service Attacks" by McDysan et al.; and U.S. Patent Application No.
10/023,332 (Attorney Docket No. RIC01060), filed on December 17, 2001, entitled 
"System, Method and Apparatus That Isolate Virtual Private Network (VPN) and Best 
Effort Traffic to Resist Denial of Service Attacks" by McDysan. 

[39] On a different front, the aforementioned vulnerability introduced by having call 
control elements coupled through the transport network is addressed by the following co- 
pending application: U.S. Patent Application No. / (Attorney Docket No. 
RIC98051P1), filed on March 15, 2002, entitled "Method of and System for Providing 
Intelligent Network Control Services In IP Telephony" by Gallant et al., the content of
which is incorporated by reference in its entirety. 

[40] On yet another front, an example of higher level service processing to curtail 
fraud or even inadvertent abuse, in the context of advanced features may be termed
"feature-associated call screening." It is possible for call forwarding and certain other
features to complete calls that would otherwise be blocked, such as costly international
calls. At least one approach for preventing this circumvention of desired screening is
described in the following co-pending patent applications which are hereby incorporated
by reference herein in their entireties: U.S. Patent Application No. / , (Attorney
Docket No. RIC01064), filed on March 15, 2002, entitled "Selective Feature Blocking in
a Communications Network" by Gallant; and U.S. Patent Application No. /
(Attorney Docket No. RIC02007PR), filed on March 15, 2002, entitled "featuring
Blocking in Communication Systems" by Gallant et al. 

[41] Of course, it is desirable that security measures may not be so extreme as to
impede legitimate use of the communications system. Special approaches may be
appropriate to draw a compromise between usefulness of the system and absolute
security. For example, in some environments, such as a very publicly accessible service
business, it may be appropriate to liberally allow calls from parties who are not
authenticated through the network. In other environments, such as a defense contractor,
it may be more important to restrict the reach of inbound calls. Such scenarios are
described further in U.S. Patent Application No. / (Attorney Docket No.
RIC02002), filed on March 15, 2002, entitled "Caller Treatment in a SIP Network" by
Gallant et al., the content of which is incorporated by reference in its entirety (non-trusted 
user). 

[42] FIG. 1 shows a diagram of a data communications system generally capable of 
supporting telephony services, in accordance with an exemplary embodiment of the 
present invention. The communication system 100 includes a packet data transport
network 101, which in an exemplary embodiment is an Internet Protocol (IP) based
network. System 100 provides the ability to establish communications among various
terminal equipment coupled thereto, such as telephone 125, PBX phone 118 and SIP 
phone 109. In practice, there may be thousands or millions of such terminal devices 
served by one or more systems 100. 

[43] As used herein, the term "SIP phone" refers to any client (e.g., a personal 
computer, a web-appliance, etc.) that is configured to provide SIP phone functions. The 
SIP phones 109 may take the form of standalone devices - e.g., a SIP phone may be 
designed and configured to function and appear like a Plain Old Telephone Service 
(POTS) telephone station. A SIP client 111, however, is a software client that may
run, for example, on a conventional personal computer (PC) or laptop computer. From a
signaling perspective, these devices 109, 111 may operate quite similarly, with the main
differences relating to the user interface. Unless otherwise stated, it is recognized that the
functionalities of both the SIP phones 109 and the SIP client 111 are comparable and that
the network operates similarly with either type of device. 

[44] System 100 is able to support large enterprise customers who maintain multiple 
locations having telephony and data transport requirements. For example, in FIG. 1, a 
first customer site 150 and a second customer site 152 are depicted, each comprising 
telephones 118 and PBXs 117. These may be customer sites of the type that were 
traditionally coupled through a Class 3 network, such as switch network 137, via the
PBXs 117.

[45] In accordance with more recent technologies, customer sites 150 and 152 further
comprise data communications equipment, namely local area networks (LANs) 140 and
142, SIP phones 109, and PC clients 111. At each customer site, an enterprise gateway
103 is provided to allow users at telephones 118 through PBXs 117 to readily make calls
to and receive calls from users of SIP phones 109 and PC clients 111.

[46] A gateway is a device that allows divergent transport networks to cooperatively
carry traffic. A gateway often provides for interoperation at two levels - between 
different signaling schemes and between different media forms. For example, network 
gateway 107 may adapt between the SS7 signaling of the telephone network and SIP or 
H.323 protocols used by the data network. At the same time, network gateway adapts 
analog or PCM-encoded voice signals in a telephone bearer channel to packetized data
streams suitable for transport over data network 101.

[47] Enterprise gateways 103 adapt between PBX signals and data signals for transport 
over a data network such as LAN 140 or the service provider's network 101. As a 
signaling interface to PBX 117, enterprise gateway 103 may use Integrated Digital 
Services Network (ISDN), Circuit Associated Signaling (CAS), or other PBX interfaces 
(e.g., European Telecommunications Standards Institute (ETSI) PRI, R2). As shown, 
enterprise gateway 103 provides connectivity from a PBX 117, which contains trunks or 
lines often for a single business customer or location (e.g., PBX phones 118). Signaling
for calls from PBX 117 into the IP network comprises information which uniquely 
identifies the customer, trunk group, or carrier. This allows private numbers to be 
interpreted in their correct context. 

[48] By virtue of the service provider's data network 101, any of the users at customer
site 150 may readily communicate with those at site 152. It is also conceivable that data
network 101 may be coupled to the public Internet 127, opening the possibility that
communications might be established with PC clients 112, or the like, that are not within
either customer site 150 or 152. 

[49] Network gateway 107, introduced earlier, is shown to adapt data network 101 to a 
telephone network 137 which may comprise a network of Class 3 telephone switches, for 
example. PBX 117' and telephones 118' may be coupled to network 137 in the more
traditional manner of a VPN dedicated access line. Furthermore, network 137 is shown 
coupled by a trunk to the PSTN 123, representing the typical Class 5 local telephone 
exchanges. A plain analog phone 125 or other telephone (pay phone) may be connected 
to PSTN 123 through a subscriber loop. 

[50] As shown in FIG. 1, network gateway 107 enables calls from telephones 118' and
125 to any of PBX-connected phones 118, SIP phones 109 or PC clients 111, assuming 
system 100 gives such privileges. Any combination of calls from one type of phone to 
another may readily be envisioned, many of which involve the traversal of network 
gateway 107 and other elements. 

[51] Both SIP phones 109 and SIP clients 111 preferably support user log-in. By
default, a given user may be associated with a particular communications terminal 
(telephone, mobile phone, pager, etc.) in the traditional sense. In addition, the user may 
approach one of the newer types of IP phone appliances and register his presence to 
receive calls at the given phone. Any inbound calls will then go to the most recently 
registered address. 

[52] Coupled with this mobility is the added aspect that a user may be known to others 
by multiple alternative names or "aliases." Multiple aliases for a given user may resolve
to a single user profile system 100 as described in U.S. Patent Application No. /
2 (Attorney Docket No. RIC01062), filed on March 16, 2002, entitled "User Aliases
in a Communication System" by Gallant, the content of which is incorporated by
reference in its entirety. Aliases may be of a variety of types including public and private 
telephone numbers, URLs, and SIP addresses. 

[53] From a fraud prevention standpoint, it may be considered advantageous that a 
unified user profile is maintained by the service provider or an authorized customer 
administrator, even though the user may be known by many such aliases. 
[54] To implement this mobility and to support new call control paradigms, control 
elements are provided in system 100 to coordinate the actions of network 101 in correctly 
routing traffic and executing features. In particular, system 100 comprises the important 
elements of a proxy server 113 (also known as a network server (NS)) and a location 
server (LS) 115. A typical functioning of these elements is described in IETF document 
RFC 2543. Location server 115 serves as a repository for end user information to enable
address validation, feature status, and real-time subscriber feature configuration.
Additionally, LS 115 may store system configuration information.

[55] An example of a typical interaction among proxy 113 and location server 115 in
providing service is now explained in conjunction with FIG. 2.

[56] In FIG. 2, User A 210 desires to establish communications with User B 220. User
B 220 may be reachable at any one of several addresses. These addresses or contacts 
may correspond to conventional telephones, SIP phones, wireless phones, pagers, etc.
The list of addresses may even be changing as User B moves about and registers as being 
present at various terminal devices 222. The current information about User B's contact 
information is typically maintained in location server 240, or in some form of a "presence 
registry" coupled thereto. 

[57] To initiate contact, User A 210 accesses a terminal, calling station 212, and 
specifies User B as the destination to be reached. This expression of the specific desired 
destination may take the form of dialing of digits or of selecting a user name or URL- 
style address from a list. In some cases, User A may also be able to express what type of 
session is desired (video, high quality, messaging, etc.) or specify a desired quality level
for the session. Once the request is specified at station 212, a SIP "INVITE" message
describing the request is composed and sent to proxy server 230. 

[58] In some cases, where calling station 212 is in a different network than the 
transport network directly controlled by NS 113 and LS 115, the call may enter through a
gateway 250. The role of gateway 250 in performing both signaling and media 
adaptation was described earlier. 

[59] Proxy server 230 typically forwards a request to location server 240 to retrieve
one or more contacts at which User B might be reached. As described earlier, proxy 
server 230 consults location server 240 for a variety of purposes, such as invoking 
profile-controlled feature behavior and obtaining the latest known location information 
pertaining to User B. 

[60] Location server 240 analyzes the request and responds to proxy server 230 in one 
of several possible ways. Location server 240 may disallow the session if User A is not 
permitted to contact User B, if User B's address cannot be recognized, or if User B has a
feature activated that renders User B unreachable by User A. 

[61] Location server 240 may determine that User A is allowed to contact User B and 
may even find multiple addresses at which User B may be reachable. If this is the case, 
location server 240 returns a SIP "300 Multiple Choices" message containing a list of the 
contacts to be tried. 

[62] Upon receiving such a response, proxy server 230 then commences trying the 
contacts to see if User B can successfully be reached at any of the corresponding 
terminals 222. This "Find-Me" functionality is usually carried out in sequence starting 
with the most recent registered location or following a specific order as provisioned for 
User B (phone then pager). In some configurations, it is conceivable that proxy server 
230 may attempt all contacts in parallel. An attempt to establish contact with a terminal 
222 involves sending a SIP "INVITE" to the terminal and waiting for a reply indicative 
of success or failure. Once a terminal 222 responds with a SIP "200 OK" message or the 
like, stations 212 and 222 have shared addresses and possibly negotiated session 
parameters and are ready to communicate, possibly through an RTP data stream. A 
manner in which transport network resources are coordinated to establish this 
"connection" of sorts through the packet network, while assuring timely packet delivery, 
is described in copending applications U.S. Patent Application No. / (Attorney 
Docket No. RIC01040), filed on March 12, 2002, entitled "Edge-Based Per-Flow QoS
Admission Control in a Data Network" by McDysan et al.; U.S. Patent Application No. _
L 2 (Attorney Docket No. RIC01057), filed on March 12, 2002, entitled "Pool-Based
Resource Management in a Data Network" by McDysan et al.; and U.S. Patent
Application No. / , (Attorney Docket No. RIC01058), filed on March 12, 2002,
entitled "Policy-Based Synchronization of Per-Class Resources Between Routes in a Data
Network" by McDysan et al.; the content of each of which is incorporated by reference in its
entirety. 

[63] The "Find-Me" feature is just one possible feature that may be supported and is of
only moderate complexity compared to other possibilities. Further understanding of 
typical call flows in performing services may be obtained from the IETF document RFC 
2543. Other examples are provided in U.S. Patent Application No. / (Attorney 
Docket No. RIC02006PR), filed on March 18, 2002, entitled "System for Providing
Communication Services Over a Data Network" by Gallant et al., the content of which is
incorporated by reference in its entirety. 

[64] An example of a somewhat more involved feature relates to "call forwarding on 
screening" as is described in co-pending application U.S. Patent Application No. /
2 (Attorney Docket No. RIC01063), filed on March 18, 2002, entitled "Call
Forwarding on Screening" by Gallant, the content of which is incorporated by reference
in its entirety. Basically call forwarding on screening refers to handling disallowed
inbound calls other than by merely providing a busy signal to the caller.

[65] In the course of performing service processing, network servers may handle very
complex features and may even access multiple user profiles in the course of fulfilling a 
single session request. An example of a more complex feature implementation of this 
type is provided in U.S. Patent Application No. / (Attorney Docket No. 

RIC01017), filed on March 15, 2002, entitled "Recursive Query for Communications 
Network Data" by Gallant et aL, the content of which is incorporated by reference in its 
entirety. 

[66] To further complicate matters, many features such as Find-Me and call-forward- 
on-screening may be invoked at the same time and may interact to some extent. This 
makes extensive, detailed recordation of usage activities all the more important to 
preventing unwanted network activity. Detailed recording can also help in 
troubleshooting anomalous feature behavior. 

[67] With the explanation thus far of how gateways and network servers are involved 
in handling traffic in system 100, it is evident that usage activity may be manifest in both 
such devices. These are points for measuring and monitoring network activity. The 
manner in which usage is monitored and reported for these elements will now be 
described. 

[68] Returning to FIG. 1, it is shown that system 100 further includes an Operational 
Support Systems (OSS) 121 to provide provisioning, billing, and network management 
capabilities. OSS 121 communicates with various elements, such as LS 115, to control 
how services are performed in system 100. This aspect may be referred to as service 
provisioning. For example, data stored in LS 115, such as user profile and routing data, 
may be altered by communications from OSS 121. OSS 121 may also serve as the portal 
through which users or administrators are able to change configuration settings, perhaps 
using a web-based user interface adapted to OSS 121. 

WO 02/075339 PCT/US02/0832J 

[69] Another important role of OSS 121 is that of network management, meaning 
monitoring and controlling the operational status of network elements. In a revenue 
bearing network, OSS 121 may also serve as a collector for billing records or so-called 
call detail records (CDRs). A call detail record is a form of usage activity record 
reflecting what has transpired in the network in the course of providing services. A CDR 
may be useful for billing, for traffic engineering, and for fraud monitoring. A billing 
function can process CDRs to ascertain billable usage by a service subscriber and 
accordingly calculate charges owed to the service provider. Such a rating and billing 
function 131 is shown coupled to OSS 121 to receive usage records from OSS 121. 

[70] Traditional CDRs have been of a rigidly established size and standard format. 
More recently, in the context of new developments in computing and with the advent of 
new service intelligence architectures, it has been recognized that transaction records may 
employ a more flexible XML-based structure. 

[71] Consequently, these records, known as TDRs (transaction detail records), are 
preferably collected by OSS 121 in an XML-type format from NS 113 and LS 115 to 
record many aspects of service processing events. Knowing what events have been 
handled by servers 113 and 115 allows functions like billing function 131 to then 
reconstruct the actions that were taken by system 100 in handling service requests. 

[72] For the purposes of billing, and perhaps traffic engineering, the same or similar 
XML-based transaction detail records (TDRs) may also be similarly collected and 
forwarded to rating and billing function 111. These would be handled in much the same 
manner as for CDRs described above. Examples of XML-based TDRs are provided in 
the following co-pending patent applications which are hereby incorporated by reference 
in their entireties: U.S. Patent Application No. 10/023,297 (Attorney Docket No. 
CDR01004), filed on December 17, 2001, entitled "Method for Recording Events in an 
IP Network" by Vijay; and U.S. Patent Application No. / (Attorney Docket 
No. RIC01019), filed on March 15, 2002, entitled "XML Based Transaction Detail 
Records" by Gallant et al. 

[73] In conjunction with such records, at least one means for facilitating proper billing 
of network usage is further described in copending application U.S. Patent Application 
No. 10/036,667 (Attorney Docket No. RIC01016), filed on December 21, 2001, entitled 
"Method for Billing in a Telecommunications Network" by Gallant et al., the content of 
which is incorporated by reference in its entirety. 

[74] In accordance with a novel aspect of the present invention, network gateway 107 
also provides a form of transaction record to be collected by OSS 121. Because of the 
interface to the telephone network signaling, this record resembles a traditional CDR in 
carrying such fields as dialed number, called number, switch and trunk IDs, etc. 
However, as an advantageous and novel aspect of the present invention and by virtue of 
its being coupled to system 100, several new and very useful additional data are added to 
the record that are not contemplated in the prior art. These additional data have become 
available and meaningful in the context of practical implementation of packet telephony 
using gateways. 

[75] Examples of these additional data are evident in FIG. 6, which is a diagram of a 
data structure for conveying recorded usage of a communications system in accordance 
with an exemplary embodiment of the present invention. 

[76] In FIG. 6 a record 600 is shown to comprise numerous fields, the significance of 
which may be summarized as follows: 

[77] Call Start Time 602 - The time that the service request is initiated and the time 
that the service session started. These two values may differ. 

[78] Call Stop Time 604 - The time that the service session is disconnected. 

[79] User Identity 606 - The identity (user name/id) of the user who initiated the 
session, if available. 

[80] Originating Information 608 - Information pertaining to the originating end of the 
connection or session, which may be the public or private number, perhaps including a 
country code, from where the session originates. As appropriate, the originating IP 
address and/or the Ingress Gateway IP address may also be included. 

[81] Terminating Information 610 - Information pertaining to the terminating end of 
the connection or session, which may be the public or private number, perhaps including 
a country code, where the session reaches or attempts to reach a terminating party. As 
appropriate, the originating IP address and/or the Egress Gateway IP address may also be 
included. 

[82] Pretranslated Digits 612 - If available, the originally dialed number before 
undergoing number translation during feature processing. This may be different than the 
number to which the call ultimately terminates, especially in the case of private dialing 
plans. 

[83] Call Type 614 - Classification based on types of terminating devices involved. 
Examples are phone-to-phone, phone-to-PC, PC-to-PC, etc. 

[84] Call Disposition 616 - Disconnect cause or how the session terminated 
(destination answered, busy, ring-no-answer, out of service, etc.) 

[85] Billed Number 618 - Party or account to be charged for usage. In the context of 
fraud monitoring this field affects how events are counted in the operation of some of the 
algorithms later described herein. 

[86] Service Type 620 - Indicates services used or features invoked. 

[87] CorpID 622 - Identification of a customer (corporation), perhaps encoded as a 
private dialing plan ID code. 

[88] Origin Switch / Trunk 624 - Identifies the telephone network switch receiving the 
call from the Network Gateway. 

[89] Ingress Gateway IP Address 626 - The IP address of a gateway by which the call 
enters the domain of network 101. 

[90] Egress Gateway IP Address 628 - The IP address of a gateway by which the call 
leaves the domain of network 101. 

[91] Bytes Received 630 - Related to the number of bytes transferred during the 
session from one party to another. 

[92] Bytes Sent 632 - Bytes transmitted in opposite direction of Bytes Received 628. 

[93] Session_ID 634 - Unique session identifier designating a session, even 
encompassing multiple parties or connections associated with a collective session such as 
a conference bridge. 

[94] Conn ID 636 - Identifies a particular "call leg" or connection in a session. 

[95] Remote Access Number 638 - If applicable, a remote access number used to 
access the network. 

[96] Remote Access Number 638 relates to calling a DAL gateway (not shown) or 
other means to access VPN functions from a phone, such as a public telephone, that is not 
directly served by system 100. A DAL gateway may be able to service multiple VPN 
customers in system 100. This practice further motivates accurate recording of network 
transactions in detail, such as by noting the Remote Access Number when appropriate. 
An approach to providing shared DAL gateway resources is described further in U.S. 
Patent Application No. / (Attorney Docket No. RIC01018), filed on March 15, 
2002, entitled "Shared Dedicated Access Line (DAL) Gateway Routing Discrimination" 
by Gallant, the content of which is incorporated by reference in its entirety. 

[97] The examples of FIG. 6 should not be construed to limit the many possible 
elements that could be useful to record. Other examples of values to record include the IP 
address of the proxy receiving the SIP "INVITE" message corresponding to a user's 
session request. It is worth noting that fields 626, 630, 632, 634, 636, 638 of structure 
600 are all introduced or at least given significance by the advent of a packet telephony 
system. 

[98] Returning again to FIG. 1, the OSS 121 is shown to interface with a fraud monitor 
or fraud analyzer 133, which supports packet-switched (e.g., IP-based) and switch-based 
monitoring functions. That is, the integrated fraud monitoring system 133, in accordance 
with novel aspects of the present invention, may analyze circuit-switched traffic as well 
as packet-switched traffic, thereby providing improved monitoring of network usage. 
Fraud monitoring via the integrated fraud monitoring system 133 may help prevent losses 
by a customer, due to customer premise abuses for which the customer may be liable, and 
the service provider, due to un-billable traffic abuses or liability-sharing agreements 
pertaining to customer premise abuse. 

[99] The fraud monitoring system 133 provides a number of functional capabilities to 
system 100. For example, the fraud monitoring system 133 ensures that IP-based 
services provided to customers offer at least a comparable level of fraud monitoring as 
available for circuit-switched services. The system 133 monitors and detects fraud 
vulnerabilities for IP network customers, which include employee abuse, illegal or 
unintended remote access, incorrect dialing plan configurations, compromised IP 
addresses/user IDs/passwords, subscription fraud, and social engineering. The coupling 
of fraud monitoring system 133 to the remainder of system 100 reinforces the use of 
network security measures by detecting patterns indicative of possible security breaches. 

[100] To understand the respective roles of OSS 121 and fraud monitor 133, several 
functional aspects are now discussed in conjunction with FIG. 3. In support of collection 
of transaction records, OSS 121 is shown to comprise numerous functional components. 
It should be understood that OSS 121 may comprise many other elements, which are not 
explicitly shown, to support the other OSS roles described earlier. 

[101] A temporary collection point for transaction records is depicted in FIG. 3 as data 
store 320. As those of skill in the art will appreciate, such records may be stored in any 
suitable format that does not cause the loss of essential information. In a reduction to 
practice, such records are stored in a format compatible with a commercial product 
available from Xacct Technologies. For convenience, these records are referred to herein 
as "XDRs" and are based upon XML. Transaction records received along inputs to OSS 
121 may be accumulated in store 320 as XDRs. 

[102] In FIG. 3, OSS 121 comprises CDR receiving means 304, which operates to receive 
CDRs from network gateway(s) along input 302. Input 302 may represent a coupling to 
data network 101 as was depicted in FIG. 1. 

[103] A CDR incident along input 302 is received by CDR receiver 304 and passed to a 
CDR-XDR converter 310. Converter 310 creates an XDR and then populates fields 
based on values parsed from the CDR. Many values, such as a dialed telephone number, 
may be simply copied from the CDR into the XDR. 

[104] Next, the XDR may be passed to a CORP_ID resolving element 312, which 
examines such information as the IP addresses and telephone numbers in the CDR, or 
perhaps the IP address of the network gateway that the CDR came from, and determines a 
CORP_ID corresponding to the enterprise customer to which the record pertains. This is 
an important part of later correlating records and performing billing and fraud 
monitoring. 

[105] The XDR may next be processed by an XDR augmenting means 314, whereby the 
CORP_ID is added to the XDR. It is contemplated that other values derived relating to 
the CDR may also be added at this point. The complete converted XDR may then be 
stored by OSS 121 in data store 320 for later retrieval. 
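
The conversion path of converter 310, resolving element 312 and augmenting means 314 can be sketched as follows. This is an added example, not code from the application: the pipe-delimited CDR layout, the XML element names, the lookup tables and the order of the lookups (gateway address first, then calling number) are all assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumed CDR layout; the application does not define the gateway's wire format.
CDR_FIELDS = ["start", "stop", "calling", "dialed", "switch_trunk",
              "ingress_gw_ip", "session_id", "conn_id"]

# Constructed sample record (documentation addresses and 555 numbers).
SAMPLE_CDR = ("2002-03-18T14:00:05|2002-03-18T14:42:11|+12145550100|"
              "+14735550123|SW07/TR112|192.0.2.10|sess-0001|leg-1")

# Constructed provisioning data mapping gateway subnets and number prefixes
# to enterprise customers. The CORP_ID values are placeholders.
GATEWAY_NETS = {"192.0.2.0/28": "CORP-A", "198.51.100.0/24": "CORP-B"}
NUMBER_PREFIXES = {"+1214555": "CORP-A", "+1972555": "CORP-B"}


def parse_cdr(line):
    """Split one CDR line and reject records with a wrong field count."""
    values = line.strip().split("|")
    if len(values) != len(CDR_FIELDS):
        raise ValueError("CDR has %d fields, expected %d"
                         % (len(values), len(CDR_FIELDS)))
    return dict(zip(CDR_FIELDS, values))


def cdr_to_xdr(cdr):
    """Converter 310: create an XDR and copy the parsed CDR values into it."""
    xdr = ET.Element("XDR", source="gateway")
    for name in CDR_FIELDS:
        ET.SubElement(xdr, name).text = cdr[name]
    return xdr


def resolve_corp_id(xdr):
    """Element 312: try the gateway address, then the calling number."""
    try:
        addr = ipaddress.ip_address(xdr.findtext("ingress_gw_ip"))
    except ValueError:
        addr = None  # unparseable address: fall through to the number lookup
    if addr is not None:
        for net, corp in GATEWAY_NETS.items():
            if addr in ipaddress.ip_network(net):
                return corp
    calling = xdr.findtext("calling") or ""
    matches = [p for p in NUMBER_PREFIXES if calling.startswith(p)]
    if matches:
        return NUMBER_PREFIXES[max(matches, key=len)]  # longest prefix wins
    return None


def augment(xdr, corp_id):
    """Means 314: add the CORP_ID. Unresolved records are kept and marked,
    because a record that is silently dropped is invisible to fraud analysis."""
    ET.SubElement(xdr, "corp_id").text = corp_id or "UNRESOLVED"
    return xdr


def convert(line):
    """Full path for one gateway CDR: parse, convert, resolve, augment."""
    xdr = cdr_to_xdr(parse_cdr(line))
    return augment(xdr, resolve_corp_id(xdr))


if __name__ == "__main__":
    print(ET.tostring(convert(SAMPLE_CDR), encoding="unicode"))
```
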

[106] Along with XDRs derived from CDRs received from network gateways, XML 
transaction detail records (TDRs) may also be received along input 306 by TDR receiver 
308 and stored in data store 320. Once stored in a consistent XDR format, these records 
are made available to billing function 131 and fraud monitor 133. 

[107] In a practical implementation, OSS 121 may involve communications with a 
variety of network elements, and perhaps among a variety of computing environments or 
platforms. Implementations of OSS 121 to facilitate provisioning and communications 
with network elements and with "back-office" functions, like fraud monitor 133, are 
described in the following co-pending applications: U.S. Patent Application No. / 
(Attorney Docket No. ASH01002), filed on March 15, 2002, entitled "Operational 
Support System for Telecommunication Services" by Robohm et al.; U.S. Patent 
Application No. / (Attorney Docket No. ASH01007), filed on March 15, 2002, 
entitled "Systems and Methods for Communicating from an Integration Platform to a 
Lightweight Directory Assistance" by Trivedi; U.S. Patent Application No. / 
(Attorney Docket No. ASH01008), filed on March 15, 2002, entitled "Systems and 
Methods for Communicating from an Integration Platform to a Provisioning Server" by 
Trivedi; U.S. Patent Application No. / (Attorney Docket No. ASH01009), 
filed on March 15, 2002, entitled "Systems and Methods for Updating IP Communication 
Service Attributes Using a LDAP" by Robohm; U.S. Patent Application No. / 
(Attorney Docket No. ASH01010), filed on March 15, 2002, entitled "Systems and 
Methods for Interfacing with a Billing and Account Management Unit" by Robohm et al.; 
U.S. Patent Application No. / (Attorney Docket No. ASH01011), filed on 
March 15, 2002, entitled "Systems and Methods for Retrieving and Modifying Data 
Records for Rating and Billing Purposes" by Leskuski; U.S. Patent Application No. 
/ (Attorney Docket No. ASH01012), filed on March 15, 2002, entitled "Systems 
and Methods for Updating a LDAP" by Trivedi et al.; U.S. Patent Application No. / 
(Attorney Docket No. ASH01013), filed on March 15, 2002, entitled "Systems and 
Methods for Collecting and Rating Contact Center Usage" by Holmes; U.S. Patent 
Application No. / (Attorney Docket No. ASH01014), filed on March 15, 2002, 
entitled "Systems and Methods for Updating IP Communication Service Attributes" by 
Robohm; U.S. Patent Application No. / (Attorney Docket No. ASH01015), 
filed on March 15, 2002, entitled "Systems and Methods for Communicating from an 
Integration Platform to a Billing Unit" by Trivedi; U.S. Patent Application No. / 
(Attorney Docket No. ASH01016), filed on March 15, 2002, entitled "Systems and 
Methods for Communicating from an Integration Platform to a Profile Management 
Server" by Trivedi; U.S. Patent Application No. / (Attorney Docket No. 
ASH01018), filed on March 15, 2002, entitled "Systems and Methods for Accessing and 
Reporting Services" by Leskuski et al.; the content of each of which is incorporated by 
reference in its entirety. 

[108] With reference now to FIG. 7, the manner in which fraud monitor 133 may make 
use of such records is now described. XDRs are provided at input 702. Record 
Correlator 714 serves to examine a group of XDRs and find those that all relate to the 
same session or service instance that transpired. For example, a call traversing both data 
network 101 and telephone network 137 in FIG. 1 will likely cause multiple records to 
be independently generated by network gateway and by one or more network servers 
113, 115. 

[109] In a novel manner, Record Correlator 714 builds a composite model of service 
execution comprising records from both the circuit-switched domain and the 
packet-switched domain. It may be said at this point that the records, even arriving from diverse 
sources, are effectively combined into a single description of processing for each given 
session that occurred in the system. 

[110] Record Normalizing and Preprocessing module 712 performs simple 
preprocessing, such as calculating call duration based on start time and stop time of the 
call. Module 712 may also examine addresses or numbers to determine if a given call 
involved long distance or international calling. These are useful parameters for fraud 
analyses that follow. Module 712 may also map some fields in the XDR to a normalized 
format amenable to the fraud processing. It is possible that the processing of record 
correlation and normalizing/preprocessing may occur in different order or be 
intermixed. 
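
The work of Record Correlator 714 and module 712 can be sketched as follows. This is an added example, not code from the application: the record layout, the use of the session identifier as the correlation key, the choice of earliest start and latest stop for the composite, and the small prefix table are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed records; dicts stand in for parsed XDRs and the field names are
# assumptions modelled on the FIG. 6 field list.
RECORDS = [
    {"source": "gateway", "session_id": "s1", "conn_id": "leg-1",
     "start": "2002-03-18T14:00:05", "stop": "2002-03-18T14:42:11",
     "orig": "+12145550100", "term": "+14735550123",
     "switch_trunk": "SW07/TR112"},
    {"source": "NS", "session_id": "s1", "conn_id": "leg-1",
     "start": "2002-03-18T14:00:03", "stop": None,
     "orig": "+12145550100", "term": "+14735550123",
     "user": "alice", "service": "find-me"},
    {"source": "gateway", "session_id": "s2", "conn_id": "leg-1",
     "start": "2002-03-18T15:10:00", "stop": "2002-03-18T15:10:20",
     "orig": "+12145550100", "term": "+19725550177",
     "switch_trunk": "SW07/TR113"},
]

# Constructed, deliberately tiny prefix table ("+1" as "US" is a simplification).
# Longest match matters: Grenada (+1473) shares country code 1 with the US, so
# comparing only the leading country code would class a US-to-Grenada call as
# domestic.
COUNTRY_PREFIXES = {"+1": "US", "+1473": "GD", "+44": "GB"}


def country_of(number):
    """Longest-prefix lookup; None when the number matches nothing."""
    matches = [p for p in COUNTRY_PREFIXES if number.startswith(p)]
    return COUNTRY_PREFIXES[max(matches, key=len)] if matches else None


def correlate(records):
    """Group records from all sources by session identifier."""
    sessions = defaultdict(list)
    for rec in records:
        sessions[rec["session_id"]].append(rec)
    return dict(sessions)


def normalize(session_id, group):
    """Merge one session's records and derive the fraud-analysis parameters."""
    composite = {"session_id": session_id,
                 "sources": sorted({r["source"] for r in group})}
    for rec in group:
        for key, value in rec.items():
            if key not in ("source", "start", "stop") and value is not None:
                composite.setdefault(key, value)  # first non-empty value wins
    starts = [datetime.fromisoformat(r["start"]) for r in group if r.get("start")]
    stops = [datetime.fromisoformat(r["stop"]) for r in group if r.get("stop")]
    # Request time and session start may differ between sources; this sketch
    # takes the earliest start and the latest stop.
    start = min(starts) if starts else None
    stop = max(stops) if stops else None
    composite["start"], composite["stop"] = start, stop
    composite["duration_s"] = (int((stop - start).total_seconds())
                               if start and stop else None)
    orig_c = country_of(composite.get("orig", ""))
    term_c = country_of(composite.get("term", ""))
    composite["orig_country"], composite["term_country"] = orig_c, term_c
    composite["international"] = (None if None in (orig_c, term_c)
                                  else orig_c != term_c)
    return composite


def build_composites(records):
    """Correlate, then normalize every session."""
    return {sid: normalize(sid, group)
            for sid, group in correlate(records).items()}


if __name__ == "__main__":
    for composite in build_composites(RECORDS).values():
        print(composite)
```
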

[111] Finally, fraud analysis engine 710 analyzes composite information regarding 
usage activities reported by the input XDRs and looks for patterns of fraud. Either as a 
comprehensive report of data, of findings, or of exceeded thresholds, engine 710 may 
generate a report 720 describing the results of the fraud monitoring or analysis. 

[112] Using fraud analysis engine 710, a normalized record, in an exemplary 
embodiment, may be monitored for the following fraud characteristics: Long Duration 
Calls, Originating/Terminating Combination, Hot Originating or Terminating 
Number/Address, Call Velocity Based on Location, Long Duration Velocity on 
Originating Number/Address, Short Duration Velocity on Billed Number, Long Duration 
Velocity on Billed Number, and Aggregate Duration. 

[113] A Long Duration Calls alarm is generated when a single completed call meets or 
exceeds the long duration threshold. For example, the alarm is triggered when an off-net 
international IP telephony session is greater than a predetermined threshold (e.g., 2 
hours). 

[114] An Originating/Terminating Combination alarm is generated if a completed call 
originating from X and terminating to Y exceeds a specific duration. X and Y can be 
countries, area codes, Gateway IP addresses, or any other predefined parameter 
specifying a location. For example, an alarm is generated when an off-net international 
IP telephony session greater than, for example, 10 minutes originates from the US and 
terminates to Grenada. 

[115] Another alarm type, a Hot Originating or Terminating Number/Address alarm, is 
generated when a call originates from a specific calling party number or IP address, or 
terminates to a specific called party number or IP address. This is used in alarming on 
calls to or from known suspect numbers — either private numbers, public numbers, or IP 
addresses. 

[116] A Call Velocity Based on Location type of alarm is generated when a number of 
completed calls over a configurable time period, originating from a user defined gateway 
address, and terminating to a user defined country code list, meets or exceeds the 
threshold. For example, a high number of calls originating from a specific Enterprise 
Gateway to a party-line country could signal a compromise in that part of the customer's 
network. In a circuit-switched environment, this type of fraud is known as "Clip-On" 
fraud where the calls are originating from a specific switch/trunk. 

[117] The Short Duration Velocity on Originating Number/Address alarm is generated 
when the number of calls over a predefined time interval from the same calling party 
number (or IP address), with a duration equal to or less than a configurable time value, 
meets or exceeds a threshold. This alarm type is used in detecting remote access fraud, 
for example, someone trying to hack a user ID/password, or someone trying to perform 
social engineering. 

[118] The Long Duration Velocity on Originating Number/Address alarm is generated 
when the number of calls over a predefined time interval from the same calling party 
number (or IP address), with a duration equal to or greater than a configurable time value, 
meets or exceeds a threshold. This alarm type is also used in detecting remote access 
fraud, for example, someone who has gained access through a compromised user 
ID/password. 

[119] With respect to the Short Duration Velocity on Billed Number alarm, this type of 
alarm is similar to the Short Duration Velocity on Originating Number/Address alarm, 
with the exception that the count is on calls from the same Billed Number (for example, 
all calls from the same originating dialing plan ID). 

[120] Likewise, the Long Duration Velocity on Billed Number alarm is similar to the 
Long Duration Velocity on Originating Number/Address alarm, except that the count is 
on calls from the same Billed Number (for example, all calls from the same originating 
dialing plan ID). 

[121] An Aggregate Duration alarm is generated when one or more completed calls on a 
billed number meets or exceeds a threshold for cumulative duration x, over an interval 
time, t. This alarm type is used for someone who had learned to "surf under the 
thresholds." For example, if it is discovered that the long duration threshold is 60 
minutes, this aggregate counting will catch someone who makes a series of 59 minute 
calls. Unique thresholds can be established based on several system parameters (billing 
method, billing number, etc.). Also, because this is business traffic, thresholds can be 
established for business, non-business, and non-business weekend hours. 
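
The threshold alarms of paragraphs [113] and [117] to [121] can be sketched as sliding-window counters. This is an added example, not code from the application: the record fields, the threshold values and the sample calls are constructed for illustration, and one `velocity` function is generalized here to cover the short and long duration variants on either the originating number or the billed number.

```python
from collections import defaultdict, deque

MIN = 60  # seconds per minute; all times below are in seconds


def long_duration(calls, threshold_s):
    """Single completed calls that meet or exceed the long-duration threshold."""
    return [c for c in calls
            if c["completed"] and c["duration_s"] >= threshold_s]


def velocity(calls, key, window_s, count_threshold, min_s=0, max_s=float("inf")):
    """Count calls per `key` whose duration lies in [min_s, max_s] within a
    sliding window. Returns {key value: start time at which the count first
    met the threshold}. Set max_s for the short-duration alarms and min_s for
    the long-duration ones; key is "orig" or "billed"."""
    alarms, windows = {}, defaultdict(deque)
    for call in sorted(calls, key=lambda c: c["start"]):
        if not (min_s <= call["duration_s"] <= max_s):
            continue
        window = windows[call[key]]
        window.append(call["start"])
        while window[0] <= call["start"] - window_s:
            window.popleft()  # drop calls that fell out of the interval
        if len(window) >= count_threshold:
            alarms.setdefault(call[key], call["start"])
    return alarms


def aggregate_duration(calls, key, window_s, total_threshold_s):
    """Sum completed-call durations per `key` over a sliding window. Returns
    {key value: cumulative seconds when the threshold was first met}. Each
    call's whole duration is attributed to its start time (a simplification)."""
    alarms, windows, totals = {}, defaultdict(deque), defaultdict(int)
    for call in sorted(calls, key=lambda c: c["start"]):
        if not call["completed"]:
            continue
        k = call[key]
        windows[k].append((call["start"], call["duration_s"]))
        totals[k] += call["duration_s"]
        while windows[k][0][0] <= call["start"] - window_s:
            totals[k] -= windows[k].popleft()[1]
        if totals[k] >= total_threshold_s:
            alarms.setdefault(k, totals[k])
    return alarms


def constructed_calls():
    """Constructed sample traffic, not data from the application."""
    calls = []
    # Four 59-minute calls on one billed number, 90 minutes apart: each one
    # stays under a 60-minute long-duration threshold.
    for i in range(4):
        calls.append({"start": i * 90 * MIN, "duration_s": 59 * MIN,
                      "orig": "+12145550100", "billed": "DP-1001",
                      "completed": True})
    # Ten 8-second calls from one number, 20 seconds apart: the pattern the
    # short-duration velocity alarm is meant to catch.
    for i in range(10):
        calls.append({"start": 1000 + i * 20, "duration_s": 8,
                      "orig": "+12145550199", "billed": "DP-2002",
                      "completed": True})
    return calls


if __name__ == "__main__":
    calls = constructed_calls()
    print("long duration:", long_duration(calls, 60 * MIN))
    print("aggregate:", aggregate_duration(calls, "billed", 360 * MIN, 180 * MIN))
    print("short velocity:", velocity(calls, "orig", 5 * MIN, 10, max_s=15))
```

With a 60-minute long duration threshold the series of 59-minute calls raises no Long Duration Calls alarm, while the aggregate counter over a 6-hour interval flags the billed number on the fourth call.
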

[122] The integrated fraud monitoring system 133 may also comprise neural network 
and clustering Artificial Intelligence algorithms available to monitor for fraudulent 
calling patterns; a co-pending application (Serial No. 10/041,549) by Tayebnejad et al., 
entitled "An Artificial Intelligence Trending System," filed on January 10, 2002, 
describes the neural network and associated algorithms in detail and is incorporated 
herein by reference in its entirety. 

[123] To now summarize the collective processes of OSS 121 and fraud monitor 133, 
FIG. 4 generally depicts a process 400 for performing record collection and fraud 
monitoring in accordance with an exemplary embodiment of the present invention. 

[124] In FIG. 4, process 400 begins in step 402 when a fraud analysis is desired. This 
may be manually triggered by network personnel or may be automatically timed to occur. 
Process 400 may also run continuously depending on the implementation and the desired 
operation chosen. 

[125] Then, in step 404, one or more CDRs are obtained from a network gateway and in 
step 406, these CDRs are translated into XDRs. 

[126] In step 408, a CORP_ID is determined and added to each XDR in step 410. This 
corresponds to the actions of elements 312 and 314 in OSS 121 described earlier. 

[127] In step 412, the resulting XDRs stemming from gateway traffic are correlated 
with those from network servers, if any. It is not essential that any of the latter are 
present. Consistent with the present teachings, fraud monitor 133 may analyze a body of 
records that is entirely circuit-switched or entirely packet-switched or any mixture 
thereof. 

[128] Those of skill in the art will recognize that process 400 is merely illustrative and 
that, in practice, the collection of both CDRs and XDRs will likely take place on an 
ongoing and concurrent basis and in no particular sequence. The order of steps 404 and 
412 depicted in FIG. 4 does not imply strict sequencing. It is also worth noting that the 
processing steps of process 400 may be divided differently among the OSS 121 and fraud 
monitor 133 without deviating from the spirit and scope of the present invention. 

[129] In step 414, the correlated groups of records are then normalized or pre-processed 
as described for module 712. 

[130] Step 416 involves applying the fraud monitoring algorithms to the observed call 
parameters and determining whether any fraud patterns are evident therein. 

[131] The results of this analysis, whether a list of observations or actual alarms to 
network personnel, are output in step 418 and then process 400 concludes in step 420. 

[132] An exemplary XDR feed to the system 133 may be over a socket-based, TCP/IP 
connection. The system 133, according to one embodiment of the present invention, 
employs a "near-real time" delivery of call records; near real-time for this feed means 
that the OSS 121 will deliver each customized record to the integrated fraud monitoring 
system 133 within a predetermined time (e.g., in minutes) from the time that the XDR is 
created. If the TCP connection to the integrated fraud monitoring system 133 is lost, the 
data is buffered and transmitted when the connection is re-established. 

[133] FIG. 5 illustrates a computer system 500 within which an embodiment according 
to the present invention can be implemented. The computer system 500 includes a bus 
501 or other communication mechanism for communicating information, and a processor 
503 coupled to the bus 501 for processing information. The computer system 500 also 
includes main memory 505, such as a random access memory (RAM) or other dynamic 
storage device, coupled to the bus 501 for storing information and instructions to be 
executed by the processor 503. Main memory 505 can also be used for storing temporary 
variables or other intermediate information during execution of instructions to be 
executed by the processor 503. The computer system 500 further includes a read only 
memory (ROM) 507 or other static storage device coupled to the bus 501 for storing 
static information and instructions for the processor 503. A storage device 509, such as a 
magnetic disk or optical disk, is additionally coupled to the bus 501 for storing 
information and instructions. 

[134] The computer system 500 may be coupled via the bus 501 to a display 511, such 
as a cathode ray tube (CRT), liquid crystal display, active matrix display, or plasma 
display, for displaying information to a computer user. An input device 513, such as a 
keyboard including alphanumeric and other keys, is coupled to the bus 501 for 
communicating information and command selections to the processor 503. Another type 
of user input device is cursor control 515, such as a mouse, a trackball, or cursor direction 
keys for communicating direction information and command selections to the processor 
503 and for controlling cursor movement on the display 511. 

[135] According to one embodiment of the invention, the SIP server functionalities are 
provided by the computer system 500 in response to the processor 503 executing an 
arrangement of instructions contained in main memory 505. Such instructions can be 
read into main memory 505 from another computer-readable medium, such as the storage 
device 509. Execution of the arrangement of instructions contained in main memory 505 
causes the processor 503 to perform the process steps described herein. One or more 
processors in a multi-processing arrangement may also be employed to execute the 
instructions contained in main memory 505. In alternative embodiments, hard-wired 
circuitry may be used in place of or in combination with software instructions to 
implement the embodiment of the present invention. Thus, embodiments of the present 
invention are not limited to any specific combination of hardware circuitry and software. 

[136] The computer system 500 also includes a communication interface 517 coupled to 
bus 501. The communication interface 517 provides a two-way data communication 
coupling to a network link 519 connected to a local network 521. For example, the 
communication interface 517 may be a digital subscriber line (DSL) card or modem, an 
integrated services digital network (ISDN) card, a cable modem, or a telephone modem 
to provide a data communication connection to a corresponding type of telephone line. 
As another example, communication interface 517 may be a local area network (LAN) 
card (e.g. for Ethernet™ or an Asynchronous Transfer Mode (ATM) network) to provide 
a data communication connection to a compatible LAN. Wireless links can also be 
implemented. In any such implementation, communication interface 517 sends and 
receives electrical, electromagnetic, or optical signals that carry digital data streams 
representing various types of information. Further, the communication interface 517 can 
include peripheral interface devices, such as a Universal Serial Bus (USB) interface, a 
PCMCIA (Personal Computer Memory Card International Association) interface, etc. 
Although only a single communication interface 517 is shown, it is recognized that 
multiple communication interfaces may be employed to communicate with different 
networks and devices. 

[137] The network link 519 typically provides data communication through one or more 
networks to other data devices. For example, the network link 519 may provide a 
connection through local network 521 to a host computer 523, which has connectivity to 
a network 525 (e.g. a wide area network (WAN) or the global packet data communication 
network now commonly referred to as the "Internet") or to data equipment operated by 
a service provider. The local network 521 and network 525 both use electrical, 
electromagnetic, or optical signals to convey information and instructions. The signals 
through the various networks and the signals on network link 519 and through 
communication interface 517, which communicate digital data with computer system 
500, are exemplary forms of carrier waves bearing the information and instructions. 

[138] The computer system 500 can send messages and receive data, including program 
code, through the networks, network link 519, and communication interface 517. In the 
Internet example, a server (not shown) might transmit requested code belonging to an 
application program for implementing an embodiment of the present invention through 
the network 525, local network 521 and communication interface 517. The processor 
504 may execute the transmitted code while being received and/or store the code in 
storage device 509, or other non-volatile storage for later execution. In this manner, 
computer system 500 may obtain application code in the form of a carrier wave. 

[139] The term "computer-readable medium" as used herein refers to any medium that 
participates in providing instructions to the processor 504 for execution. Such a medium 
may take many forms, including but not limited to non-volatile media, volatile media, 
and transmission media. Non-volatile media include, for example, optical or magnetic 
disks, such as storage device 509. Volatile media include dynamic memory, such as 
main memory 505. Transmission media include coaxial cables, copper wire and fiber 
optics, including the wires that comprise bus 501. Transmission media can also take the 
form of acoustic, optical, or electromagnetic waves, such as those generated during radio 
frequency (RF) and infrared (IR) data communications. Common forms of computer-readable 
media include, for example, a floppy disk, a flexible disk, hard disk, magnetic 
tape, any other magnetic medium, a CD-ROM, CDRW, DVD, any other optical medium, 
punch cards, paper tape, optical mark sheets, any other physical medium with patterns of 
holes or other optically recognizable indicia, a RAM, a PROM, and EPROM, a FLASH-EPROM, 
any other memory chip or cartridge, a carrier wave, or any other medium from 
which a computer can read. 

[140] Various forms of computer-readable media may be involved in providing 
instructions to a processor for execution. For example, the instructions for carrying out at 
least part of the present invention may initially be borne on a magnetic disk of a remote 
computer. In such a scenario, the remote computer loads the instructions into main 
memory and sends the instructions over a telephone line using a modem. A modem of a 
local computer system receives the data on the telephone line and uses an infrared 
transmitter to convert the data to an infrared signal and transmit the infrared signal to a 
portable computing device, such as a personal digital assistant (PDA) and a laptop. An 
infrared detector on the portable computing device receives the information and 
instructions borne by the infrared signal and places the data on a bus. The bus conveys 
the data to main memory, from which a processor retrieves and executes the instructions. 
The instructions received by main memory may optionally be stored on storage device 
either before or after execution by processor. 

[141] Additionally, other interesting information can be found in the following table, in 

[142] While the present invention has been described in connection with a number of 
embodiments and implementations by way of example, the present invention is not 
limited to such embodiments. Those of ordinary skill in the art will recognize that many 
implementations are possible within the spirit and scope of the invention as may be 
construed from the following claims. 

WHAT IS CLAIMED IS: 

1. A method for monitoring activity in a communications system comprising the 
steps of: 

obtaining at least one first record relating to activity in a first transport network; 
obtaining at least one second record relating to activity in a second transport 
network; 

determining that the first record and second record are both associated with a 
communications session; 

determining at least one aspect of the communications session based upon content 
of both the first record and the second record. 

2. The method of claim 1 wherein the first record is formatted differently than the 
second record. 

3. The method of claim 1 wherein at least one of the first record and the second 
record pertains to the action of a gateway coupling the first transport and the second 
transport network. 

4. The method of claim 1 further comprising the step of combining the first record with 
the second record to form a composite record of activity. 

5. The method of claim 4 further comprising the step of converting the first record 
into the format of the second record. 

6. The method of claim 4 further comprising the step of translating both the first 
record and second record into a common format. 

7. The method of claim 4 further comprising the step of adding to the first record 
additional information related to at least one aspect of the second transport network. 

8. The method of claim 7 wherein the additional information is a data network 
address in an address space of the second transport network. 
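
An added illustration of the record correlation recited in claims 1 through 8, not part of the application itself: records from two transport networks are translated to a common format, matched to one session, and combined into a composite record that carries the data network address. The record layouts, field names, and the matching rule (same called number, start times within five seconds) are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records; layouts and field names are assumptions.
PSTN_CDRS = [  # first transport network: start|trunk|calling|called|seconds
    "2001-03-20T14:02:07|trunk-12|+15555550123|+15555550199|185",
    "2001-03-20T14:05:40|trunk-03|+15555550144|+15555550177|42",
]
IP_RECORDS = [  # second transport network: gateway session records
    {"call_id": "a1b2@gw1.example.net", "src_ip": "192.0.2.45",
     "to": "+15555550199", "start": "2001-03-20T14:02:05", "secs": 187},
    {"call_id": "c3d4@gw1.example.net", "src_ip": "198.51.100.9",
     "to": "+15555550100", "start": "2001-03-20T14:30:00", "secs": 12},
]

def pstn_to_common(line):
    """Translate a pipe-delimited PSTN record into the common format."""
    start, trunk, calling, called, secs = line.strip().split("|")
    return {"network": "pstn", "start": datetime.fromisoformat(start),
            "calling": calling, "called": called, "trunk": trunk,
            "duration": int(secs)}

def ip_to_common(rec):
    """Translate a gateway session record into the common format."""
    return {"network": "ip", "start": datetime.fromisoformat(rec["start"]),
            "called": rec["to"], "src_ip": rec["src_ip"],
            "call_id": rec["call_id"], "duration": int(rec["secs"])}

def same_session(a, b, skew=timedelta(seconds=5)):
    """Assumed matching rule: same called number, start times within skew."""
    return a["called"] == b["called"] and abs(a["start"] - b["start"]) <= skew

def correlate(pstn_lines, ip_records):
    """Return (composite records, PSTN records with no IP-side match)."""
    ip_pool = [ip_to_common(r) for r in ip_records]
    composites, unmatched = [], []
    for p in map(pstn_to_common, pstn_lines):
        match = next((i for i in ip_pool if same_session(p, i)), None)
        if match is None:
            unmatched.append(p)
            continue
        ip_pool.remove(match)  # one IP record explains at most one PSTN leg
        composites.append({**p, "network": "composite",
                           "src_ip": match["src_ip"],   # address from network 2
                           "call_id": match["call_id"],
                           "duration_gap": abs(p["duration"] - match["duration"])})
    return composites, unmatched

if __name__ == "__main__":
    for rec in correlate(PSTN_CDRS, IP_RECORDS)[0]:
        print(rec["called"], rec["src_ip"], rec["duration_gap"])
```

The unmatched list is as useful to a fraud analyst as the composites: a PSTN leg with no corresponding IP-side record, or a large duration gap between the two views of one session, is a candidate for review.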